Fake Solidity VSCode extension on Open VSX backdoors developers

A remote access trojan dubbed SleepyDuck, disguised as the well-known Solidity extension in the Open VSX open-source registry, uses an Ethereum smart contract to establish a communication channel with the attacker.

Open VSX is a community-driven registry for extensions compatible with VS Code, which are popular with AI-powered integrated development environments (IDEs) like Cursor and Windsurf.

The extension is still present on Open VSX as 'juan-bianco.solidity-vlang', albeit with a warning from the platform, and has been downloaded more than 53,000 times.

The extension was harmless when initially submitted on October 31st. It received malicious capabilities in an update the next day, by which point the download count had already reached 14,000.

According to a report from extension security platform Secure Annex, a notable feature in SleepyDuck is the use of Ethereum contracts to update its command-and-control (C2) server address and achieve long-term persistence.

Even if the default C2 server at sleepyduck[.]xyz is taken down, the contract on the Ethereum blockchain allows the malware to remain functional.

Since its submission to Open VSX with version 0.0.7 and until version 0.1.3 published on November 2nd, the juan-bianco.solidity-vlang package was downloaded 53,439 times and has only one 5-star rating from its author.
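A defender-side check built from the two indicators named above (the extension ID and the default C2 domain), added here as an example and not taken from the article or the Secure Annex report. The per-user extension directories and the publisher.name-version folder layout are assumptions about a default install.

```python
import json
from pathlib import Path

# Indicators taken from the article (domain re-fanged for matching).
EXTENSION_ID = "juan-bianco.solidity-vlang"
C2_DOMAIN = "sleepyduck.xyz"
# Assumed per-user extension directories; adjust for your IDEs and OS.
DEFAULT_ROOTS = [Path.home() / d / "extensions"
                 for d in (".vscode", ".vscode-oss", ".cursor", ".windsurf")]
TEXT_SUFFIXES = {".js", ".cjs", ".mjs", ".json"}

def manifest_id(ext_dir):
    """Return ('publisher.name', version) from package.json, or (None, None)."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return f"{data['publisher']}.{data['name']}".lower(), str(data.get("version", "?"))
    except (OSError, ValueError, KeyError, TypeError):
        return None, None

def references_c2(ext_dir):
    """List script/JSON files under ext_dir that mention the default C2 domain."""
    hits = []
    for path in ext_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in TEXT_SUFFIXES:
            try:
                text = path.read_text(encoding="utf-8", errors="replace").lower()
            except OSError:
                continue
            if C2_DOMAIN in text:
                hits.append(path)
    return hits

def scan(roots=DEFAULT_ROOTS):
    """Return one finding per installed extension that matches either indicator."""
    findings = []
    for root in (r for r in roots if r.is_dir()):
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            ext_id, version = manifest_id(ext_dir)
            # Folder names follow publisher.name-version; use that if the manifest is unreadable.
            by_id = ext_id == EXTENSION_ID or ext_dir.name.lower().startswith(EXTENSION_ID + "-")
            c2_files = references_c2(ext_dir)
            if by_id or c2_files:
                findings.append({"path": ext_dir, "id": ext_id, "version": version,
                                 "id_match": by_id, "c2_files": c2_files})
    return findings

if __name__ == "__main__":
    for f in scan():
        print(f"[!] {f['path']} id={f['id']} version={f['version']} c2_refs={len(f['c2_files'])}")
```

Because the contract can replace the C2 address, the absence of the default domain in an extension's files does not clear it; the ID match is the stronger signal.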

[Image: Malicious package on Open VSX. Source: BleepingComputer]

It should be noted that author of the malic
